Chapter 12 Web Hacking Revised 5-1-09. Web Server Hacking.

Transcript of Chapter 12 Web Hacking Revised 5-1-09. Web Server Hacking.

Page 1

Chapter 12
Web Hacking
Revised 5-1-09

Page 2

Web Server Hacking

Page 3

Popular Web Servers

Microsoft IIS/ASP/ASP.NET

LAMP (Linux/Apache/MySQL/PHP)

Oracle WebLogic
– Link Ch 12j

IBM WebSphere
– Link Ch 12k

Page 4

Popularity
– Link Ch 12l

Page 5

Link Ch 12m

Page 6

Attacking Web Server Vulnerabilities

An attacker with the right set of tools and ready-made exploits can bring down a vulnerable web server in minutes

Some of the most devastating Internet worms have historically exploited these kinds of vulnerabilities
– Code Red and Nimda attacked IIS vulnerabilities

Page 7

Why the Risk is Decreasing

The risk of such attacks is decreasing, because:
– Newer versions of Web servers are less vulnerable
– System administrators are better at configuring the platforms
– Vendors' "best practices" documents are better
– Patches come out more rapidly

Page 8

Why the Risk is Decreasing

Countermeasures are available, such as:
– Sanctum/Watchfire's AppShield, a Web application firewall (link Ch_12n)
– Microsoft's URLScan, built in to IIS 6 and IIS 7 (link Ch_12o)

Automated vulnerability-scanning products and tools are available

Page 9

Web Server Vulnerabilities

Sample files

Source code disclosure

Canonicalization

Server extensions

Input validation (for example, buffer overflows)

Page 10

Sample files

Sample scripts and code snippets to illustrate creative use of a platform

In Microsoft's IIS 4.0
– Sample code was installed by default
– showcode.asp and codebrws.asp
– These files enabled an attacker to view almost any file on the server like this:

http://192.168.51.101/msadc/Samples/SELECTOR/showcode.asp?source=/../../../../../boot.ini

http://192.168.51.101/iissamples/exair/howitworks/codebrws.asp?source=/../../../../../winnt/repair/setup.log

Page 11

Sample Files Countermeasure

Remove sample files from production webservers

If you need the sample files, you can get patches to improve them
– ColdFusion Expression Evaluator patch
– Link Ch 12p

Page 12

Source Code Disclosure

IIS 4 and 5 could reveal portions of source code through the HTR vulnerability (link Ch 12q)

Apache Tomcat and Oracle WebLogic had similar issues

Attack URLs:

http://www.iisvictim.example/global.asa+.htr

http://www.weblogicserver.example/index.js%70

http://www.tomcatserver.example/examples/jsp/num/numguess.js%70

Page 13

Source Code Disclosure Countermeasures

Apply patches (these vulnerabilities were patched long ago)

Remove unneeded sample files

Never put sensitive data in source code of files
– You can never be sure source code is hidden

Page 14

Canonicalization Attacks

There are many ways to refer to the same file

C:\text.txt

..\text.txt

\\computer\C$\text.txt

The process of resolving a resource to a standard (canonical) name is called canonicalization

Page 15

ASP::$DATA Vulnerability

Affected IIS 4 and earlier versions

Just adding ::$DATA to the end of an ASP page's URL revealed the source code

http://xyz/myasp.asp::$DATA

Link Ch 12r

Page 16

Unicode/Double Decode Vulnerabilities

Strings like %c0%af could be used to sneak characters like \ past URL filters

Attack URL example:

http://10.1.1.3/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir

Exploited by the Nimda worm

Page 17

Canonicalization Attack Countermeasures

Patch your Web platform

Compartmentalize your application directory structure
– Limit access of Web Application user to minimal required

Clean URLs with URLScan and similar products
– Remove Unicode or double-hex-encoded characters before they reach the server
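The canonicalization step the last four slides describe, as an added example (not from the slides or from URLScan): decode the path fully, reject overlong UTF-8 like %c0%af and any backslash that survives decoding, then resolve the result against an assumed document root and refuse anything that lands outside it.

```python
import posixpath
from typing import Tuple
from urllib.parse import unquote_to_bytes

# Assumed document root for this example (constructed; not from the slides).
WEB_ROOT = "/var/www/html"

def percent_decode_fully(raw: str, max_rounds: int = 3) -> Tuple[bool, bytes]:
    """Percent-decode until the value stops changing.

    A single pass would leave a double-encoded "%255c" as "%5c", and a later
    component might decode it again into a backslash (the "double decode" bug).
    """
    data = raw.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            return True, data
        data = decoded
    return False, data  # still changing after max_rounds: reject the request

def resolve_request_path(raw_path: str) -> Tuple[bool, str]:
    """Canonicalize a request path. Returns (accepted, filesystem path or reason)."""
    ok, data = percent_decode_fully(raw_path)
    if not ok:
        return False, "too many layers of percent-encoding"

    # Strict UTF-8 decoding rejects overlong forms such as %c0%af, which the
    # vulnerable decoders accepted as a separator the URL filter never saw.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "malformed UTF-8 (possible overlong encoding)"

    # Only forward slashes are legitimate separators in a URL path; a backslash
    # or NUL that survived decoding is an alternate name for a path component.
    if "\\" in text or "\x00" in text:
        return False, "backslash or NUL in path"

    # Join with the document root first, then normalize, so a ".." that climbs
    # above the root shows up as a path outside it instead of being clamped.
    full = posixpath.normpath(posixpath.join(WEB_ROOT, text.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return False, "path escapes the web root"
    return True, full

if __name__ == "__main__":
    # Constructed sample requests: two legitimate, then the encoding tricks the slides describe.
    samples = [
        "/index.html",
        "/docs/../index.html",
        "/scripts/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe",
        "/scripts/..%255c..%255c..%255c/winnt/system32/cmd.exe",
        "/%2e%2e/%2e%2e/etc/passwd",
    ]
    for path in samples:
        accepted, detail = resolve_request_path(path)
        print("ACCEPT" if accepted else "REJECT", path, "->", detail)
```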

Page 18

Server Extensions

Code libraries tacked on to the core HTTP engine to provide extra features
– Dynamic script execution (for example, Microsoft ASP)
– Site indexing
– Internet Printing Protocol
– Web Distributed Authoring and Versioning (WebDAV)
– Secure Sockets Layer (SSL)

Page 19

Server Extensions

Each of these extensions has vulnerabilities, such as buffer overflows

Microsoft WebDAV Translate: f problem
– Add "Translate: f" to the header of the HTTP GET request, and a \ to the end of the URL
– Reveals source code

Links Ch 12u, v

Page 20

Server Extensions Exploitation Countermeasures

Patch or disable vulnerable extensions
– The Translate: f problem was patched long ago

Page 21

Buffer Overflows

Web servers, like all other computers, can be compromised by buffer overflows

The Web server is easy to find, and connected to the Internet, so it is a common target

Page 22

Famous Buffer Overflows

IIS HTR Chunked Encoding Transfer Heap Overflow
– Affects Microsoft IIS 4.0, 5.0, and 5.1
– Leads to remote denial of service or remote code execution at the IWAM_MACHINENAME privilege level

IIS's Indexing Service extension (idq.dll)
– A buffer overflow used by the infamous Code Red worm

Internet Printing Protocol (IPP) vulnerability

Page 23

Famous Buffer Overflows

Apache mod_ssl vulnerability
– Also known as the Slapper worm
– Affects all versions up to and including Apache 2.0.40
– Results in remote code execution at the super-user level

Apache also suffered from a vulnerability in the way it handled HTTP requests encoded with chunked encoding
– Resulted in a worm dubbed "Scalper"
– Thought to be the first Apache worm

Page 24

Buffer Overflow Countermeasures

Apply software patches

Scan your server with a vulnerability scanner

Page 25

Web Server Vulnerability Scanners

Nikto checks for common Web server vulnerabilities
– It is not subtle—it leaves obvious traces in log files
– Link Ch 12z01

Whisker is another Web server vulnerability scanner
– Nikto version 2 uses LibWhisker 2, so it may replace Whisker

Page 26

Nikto Demonstration

Scan DVL Web Server with Nikto

Page 27

Web Application Hacking

Attacks on applications themselves, as opposed to the web server software upon which these applications run

The same techniques
– Input-validation attacks
– Source code disclosure attacks
– etc.

Page 28

Finding Vulnerable Web Apps with Google

You can find unprotected directories with searches like this:
– "Index of /admin"
– "Index of /password"
– "Index of /mail"

You can find password hints, vulnerable Web servers with FrontPage, MRTG traffic analysis pages, .NET information, improperly configured Outlook Web Access (OWA) servers… and many more
– Link Ch 1a

Page 29

Web Crawling

Examine a Web site carefully for Low Hanging Fruit
– Local path information
– Backend server names and IP addresses
– SQL query strings with passwords
– Informational comments

Look in static and dynamic pages, include and other support files, source code

Page 30

Web-Crawling Tools

wget is a simple command-line tool to download a page, and can be used in scripts
– Available for Linux and Windows
– Link Ch 12z03

Offline Explorer Pro
– Commercial Win32 product

Page 31

Web Application Assessment

Once the target application content has been crawled and thoroughly analyzed

Probe the features of the application
– Authentication
– Session management
– Database interaction
– Generic input validation
– Application logic

Page 32

Tools for Web Application Hacking

Browser plug-ins

Free tool suites

Commercial web application scanners

Page 33

Tamper Data Demo

Vulnerable Message Board

Page 34

Acts like a proxy server

You can see POST data and alter it

This will defeat client-side validation

Page 35

JavaScript Debugger

Examine and step through JavaScript

Page 36

Tool Suites

Proxies sit between client and Web application server, like a man-in-the-middle attack

Microsoft Fiddler can intercept and log requests and responses

Page 37

WebGoat Demo

Page 38

Page 39

Page 40

Tools for Web Application Assessment

WebScarab
– Allows user to intercept and alter HTTP
– Includes spidering and fuzzing
– Runs on any platform
– Free, from OWASP

Burp Suite
– Proxy, Repeater, Sequencer, Spider, Intruder
– Powerful tool to craft automated attacks
– Free version is limited

Page 41

Expensive Commercial Tools

HP WebInspect and Security Toolkit

Rational AppScan

Cenzic Hailstorm

Page 42

Cenzic Hailstorm

Highly rated commercial Web application vulnerability scanner

We should have a copy to use here soon
– Links Ch 11o, 11p

Page 43

Common Web Application Vulnerabilities

Page 44

Common Web Application Vulnerabilities

Cross-Site Scripting (XSS)

SQL Injection

Cross-Site Request Forgery (CSRF)

HTTP Response Splitting

Page 45

Cross-Site Scripting (XSS) Attacks

One user injects code that attacks another user

Common on guestbooks, comment pages, forums, etc.

Caused by failure to filter out HTML tags
– These characters: < > " &
– Also watch out for hex-encoded versions

%3c instead of <

%3e instead of >

%22 instead of "

Page 46

Common XSS Payloads

See link Ch 12z06

Page 47

Cross-Site Scripting Countermeasures

Filter out < > ( ) # & and the variants of them

HTML-encode output, so a character like < becomes &lt; -- that will stop scripts from running

In IE 6 SP1 or later, an application can set HttpOnly cookies, which prevents them from being accessed by scripts

Analyze your applications for XSS vulnerabilities
– Fix the errors you find
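The three XSS countermeasures above (filtering after hex-decoding, HTML-encoding output, HttpOnly cookies) as an added example for a guestbook page; this is illustration code written for these slides, not from any project, and the posted comment and cookie value are constructed.

```python
import html
from urllib.parse import unquote

# Characters the slides say to filter on input; the check below also sees
# their hex-encoded variants because it decodes first.
SUSPECT_CHARS = '<>()#&"'

def normalize_input(value: str) -> str:
    """Percent-decode so that %3c, %3e and %22 are seen as <, > and "."""
    return unquote(value)

def contains_markup(value: str) -> bool:
    """Input-side filter: True if the decoded value carries any suspect character."""
    decoded = normalize_input(value)
    return any(ch in decoded for ch in SUSPECT_CHARS)

def encode_for_html(value: str) -> str:
    """Output-side defense: HTML-encode so the browser renders text, not tags.

    html.escape with quote=True turns & < > " ' into entity references, so a
    stored "<script>" reaches the page as "&lt;script&gt;" and never executes.
    """
    return html.escape(value, quote=True)

def render_comment(author: str, body: str) -> str:
    """Build one guestbook entry with every user-controlled value encoded."""
    return "<p><b>{}</b>: {}</p>".format(encode_for_html(author), encode_for_html(body))

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line with HttpOnly, so script in the page cannot read the session id."""
    return "Set-Cookie: session={}; HttpOnly; Path=/".format(session_id)

if __name__ == "__main__":
    # Constructed guestbook submission: a script tag hidden behind hex-encoding.
    posted_body = "%3cscript%3ealert(1)%3c/script%3e"
    print("flagged on input:", contains_markup(posted_body))
    print(render_comment("guest", normalize_input(posted_body)))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```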

Page 48

Common Web Application Vulnerabilities

SQL Injection

Page 49

SQL Injection Comic

xkcd.org – a great comic

Link Ch 11i

Page 50

Automated SQL Injection Tools

Wpoison
– Runs on Linux

SPIKE Proxy

mieliekoek.pl
– SQL insertion crawler that tests all forms on a website for possible SQL insertion problems

SPI Dynamics' SPI Toolkit
– Contains SQL Injector that automates SQL injection testing

Page 51

SQL Injection Countermeasures

Perform strict input validation

Replace direct SQL statements with stored procedures, prepared statements, or ADO command objects
– That way they can't be modified

Implement default error handling
– Use a general error message for all errors

Page 52

SQL Injection Countermeasures

Lock down ODBC
– Disable messaging to clients. Don't let regular SQL statements through. This ensures that no client, not just the web application, can execute arbitrary SQL.

Lock down the database server configuration
– Specify users, roles, and permissions, so even if SQL statements are injected, they can't do any harm
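The countermeasures on the two slides above (strict input validation, prepared statements instead of direct SQL, one generic error message) as an added example against a constructed in-memory SQLite table; the code is written for these slides and is not from any of the tools or products named. The direct-SQL login is kept beside the prepared-statement login so the difference on the same input is visible.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def valid_username(name: str) -> bool:
    """Strict input validation: allow only a short alphanumeric identifier."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None

def login_direct_sql(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The 'before' form: user input is pasted into the statement text, so a
    quote in the input ends the string literal and the rest becomes SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone()[0] > 0

def login_prepared(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Prepared statement: the '?' placeholders are bound as data by the driver,
    so the input can never change the structure of the query."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0

def login_response(conn: sqlite3.Connection, name: str, password: str) -> str:
    """Default error handling: every failure, including a database error, gets
    the same generic message, so nothing about the schema or the SQL leaks."""
    if not valid_username(name):
        return "Login failed"
    try:
        ok = login_prepared(conn, name, password)
    except sqlite3.Error:
        ok = False  # never echo the driver's message to the client
    return "Welcome" if ok else "Login failed"

if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print("direct SQL, injected password:   ", login_direct_sql(db, "alice", injected))
    print("prepared statement, same input:  ", login_prepared(db, "alice", injected))
    print("stray quote, generic handling:   ", login_response(db, "alice", "'"))
```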

Page 53

Cross-Site Request Forgery (CSRF)

Hijack a session by stealing cookies

We did this with hamster and ferret

Page 54

HTTP Response Splitting

Demonstrated earlier with WebGoat